Despite the proliferation and availability of computer security software and services, users of the Internet continue to be concerned about the trustworthiness of remote services. Verifying the authenticity of a server that a user connects to (e.g., through server certificate authentication) is no longer sufficient to ensure that a user is interacting with the intended service software running on the server. The trustworthiness of the service may be easily compromised, for example, by root kits, Trojan horses and viruses affecting the service software. As a result, even once the authenticity of the server is verified by conventional means, the user still risks receiving a bogus response and/or compromising the confidentiality of personal, confidential data which they have supplied during the transaction.
Several software attestation based methods have been developed recently that seek to ensure code genuineness and integrity on untrusted hosts. However, these methods fall short of guaranteeing continuous trustworthiness of remote services during and after a service transaction involving a user's confidential data. Generally, most known methods that attempt to verify the service's trustworthiness in delivering a response are employed before the transaction occurs, i.e., pre-transaction. For example, the trustworthiness of the service at the time the remote code is loaded can be verified by computing a hash value of the loaded program which can later be used by a remote user to verify against the system's loaded code. This load-time attestation method, however, is difficult to implement, and still does not guarantee trustworthiness at the time of execution, or after the conclusion of the transaction.
Moreover, it is difficult to evaluate trust by verifying attestation results in accordance with the existing attestation based methods. For instance, in Sailer, et al., “Design and implementation of a TCG-based integrity measurement architecture,” Proceedings of 13th USENIX Security Symposium (2004), all files on the service platform are attested. This approach is subject to false positives, in that even if a single bit is changed in a file irrelevant to the service, the established trust must be revoked. Others have attempted to mitigate this problem by attesting the entire virtual machine image at block level, as described in Garfinkel, et al., “Terra: A virtual machine-based platform for trusted computing,” Proceedings of the 19th ACM Symposium on Operating Systems Principles (2003). However, the attestation results produced are difficult for the common user to understand and evaluate, rendering the method impractical to implement.
Finally, the conventional methods do not address the problem of preserving the confidentiality of a user's confidential data supplied to the remote service, both during and after the transaction. Accordingly, none of the known methods provide continuous trustworthiness of remote services across all phases of a service transaction (before, during, and after the transaction).
There is a need, therefore, for a method and system for providing trusted service transactions which attests to the continuous trustworthiness of remote services to a service requester and which protects the privacy of user-provided data.